• No results found

Trapdoor Functions from the Computational Diffie-Hellman Assumption

N/A
N/A
Protected

Academic year: 2020

Share "Trapdoor Functions from the Computational Diffie-Hellman Assumption"

Copied!
30
0
0

Loading.... (view fulltext now)

Full text

(1)

Trapdoor Functions from the Computational Diffie-Hellman

Assumption

Sanjam Garg† Mohammad Hajiabadi‡

June 29, 2018

Abstract

Trapdoor functions (TDFs) are a fundamental primitive in cryptography. Yet, the current set of assumptions known to imply TDFs is surprisingly limited, when compared to public-key encryption. We present a new general approach for constructing TDFs. Specifically, we give a generic construction of TDFs from any Hash Encryption (D¨ottling and Garg [CRYPTO ’17]) satisfying a novel property which we call recyclability. By showing how to adapt current Com-putational Diffie-Hellman (CDH) based constructions of hash encryption to yield recyclability, we obtain the first construction of TDFs with security proved under the CDH assumption. While TDFs from the Decisional Diffie-Hellman (DDH) assumption were previously known, the possibility of basing them on CDH had remained open for more than 30 years.

1

Introduction

Trapdoor functions (TDFs) are a fundamental primitive in cryptography, historically pre-dating the complexity-based development of public key encryption (PKE) [DH76, RSA78]. Informally, TDFs are a family of functions, where each function in the family is easy to compute given the function’s index key, and also easy to invert given an associated trapdoor key. The security requirement is that a randomly chosen function from the family should be hard to invert without knowledge of a trapdoor key.

A salient difference between TDFs and PKE lies in their inversion (decryption) algorithms: while the inversion algorithm of a TDF recovers the entire pre-image in full, the decryption algorithm of a PKE only recovers the corresponding plaintext, and not necessarily the randomness. This full-input recovery feature of TDFs is useful in may applications. For example, suppose we have two image points y1 := F(ik1, x1) and y2 := F(ik2, x2) of a trapdoor function F, and we want to

convinceAlice — who is given bothy1 and y2 but only a trapdoor key tk1 forik1 — that x1 =x2.

This will be easy for Alice to do herself: retrieve x1 from y1 using the trapdoor key tk1 and check

whethery1=F(ik1, x1) andy2 =F(ik2, x1).1 This is a very useful property, especially in the context

Research supported in part from DARPA/ARL SAFEWARE Award W911NF15C0210, AFOSR Award FA9550-15-1-0274, AFOSR YIP Award, DARPA and SPAWAR under contract N66001-15-C-4065, a Hellman Award and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the author and do not reflect the official policy or position of the funding agencies.

University of California, Berkeley.

University of California, Berkeley and University of Virginia.

1Here we also need to assume that certifying whether a given point is in the domain of a trapdoor function can

(2)

of chosen-ciphertext (CCA2) security, and is in fact the main reason behind the success of building CCA2-secure PKE in a black-box way from various forms of TDFs [PW08, RS09, KMO10]. In contrast, enabling this technique based on PKE [NY90] requires the use of expensive non-interactive zero knowledge proofs [BFM90,FLS90], which in turn require strong assumptions and lead to non-black-box constructions.

The deterministic structure of TDFs, however, comes with a price, making the construction of TDFs more challenging than that of PKE. This belief is justified by an impossibility result of Gertner, Malkin and Reingold [GMR01] showing that TDFs cannot be built from PKE in a black-box way. As another evidence, while it was known from the 80’s how to build semantically-secure PKE from the Decisional Diffie-Hellman (DDH) assumption [Yao82, GM82, ElG84], it took two decades to realize TDFs based on DDH [PW08].

Despite the fundamental nature of TDFs and extensive research on them [BHSV98, BBO07, PW08,BFOR08,RS09,KMO10,FGK+10,Wee12] a long-standing question has remained open:

Can trapdoor functions be based on the Computational Diffie-Hellman (CDH) Assumption?

The main difficulty of the above question is that all known DDH-based constructions of TDFs, e.g., [PW08,FGK+10], exploit properties of DDH, such as pseudorandomness of low rank matrices of group elements, which do not hold in the CDH setting (see Section 1.1).

Apart from being a natural question, it has the following theoretical motivation: since we know that TDFs are not necessary in a black-box sense for PKE [GMR01], there may be computational assumptions that imply PKE but not TDFs. Thus, it is important to understand whether TDFs can be obtained from all existing computational assumptions that imply PKE. This provides insights into the hardness nature of TDFs as well as our computational assumptions.

1.1 Lack of CDH-Based Techniques for TDF

Diffie-Hellman related assumptions (even DDH) do not naturally lend themselves to a TDF con-struction. The main reason why it is more difficult to build TDFs from such assumptions, compared to, say, factoring related assumptions, is that we do not know of any generic trapdoors for the dis-crete log problem. Indeed, a long standing open problem in cryptography is whether PKE can be based on the sole hardness of the discrete log problem. To see how this makes things more difficult, consider ElGamal encryption: to encrypt a group elementgm under a public key (g, g1), we return

(gr, gr

1·gm), where r is a random exponent. The decryption algorithm can recover gm but not r

because computingr is as hard as solving the discrete log problem.

Known DDH-based TDF constructions [PW08, FGK+10] get around the above obstacle by designing their TDFs in such a way that during inversion, one will only need to solve the discrete log problem over a small space, e.g., recovering a bit b from gb. The main idea is as follows: the index key ik of their TDF isgM, where g is a generator of the group G of order p and M ∈Znp×n

is a random n×n invertible matrix and gM denotes entry-wise exponentiation. Let tk:=M−1 be the trapdoor key. Using ik, the evaluation algorithm on input x ∈ {0,1}n may use the algebraic

property of the group to compute y:=gMx ∈Gn. Now using tk and yone can compute gx

Gn,

hence retrieving x.

To argue about one-wayness, one uses the following property implied by DDH: the matrixgM is

computationally indistinguishable from a matrixgM1, whereM

(3)

the index key is now set togM1 and if we have 2np, then even an unbounded adversary cannot retrieve the original xfrom y. This argument is used to establish one-wayness for the TDF.

Unfortunately, the above rank indistinguishability property used to prove one-wayness is not known (and not believed) to be implied by CDH. Thus, designing TDFs based on CDH requires new techniques.

Finally, we mention that even from the Computational Bilinear Assumption [BB04] (i.e., pairing-based CDH) no TDF constructions are known. The closest is a result of Wee [Wee10], showing that trapdoor relations, which are much weaker than TDFs, can be built from CDH. Roughly, trapdoor relations are a relaxed version of TDFs, in that the function might not be efficiently computable on individual points but one may sample efficiently arandom input element together with its corresponding image.

1.2 Our Results and Techniques

We give the first construction of TDFs under the CDH assumption. Our construction is black-box and is obtained through a general construction of TDFs from a primitive we call arecyclable one-way function with encryption (OWFE), which we show can be realized under CDH.

OWFE notion. An OWFE is described by a one-way functionfpp:{0,1}n→ {0,1}ν, where pp

is a public parameter, together with encapsulation/decapsulation algorithms (E,D). Specifically,

E takes as input pp, an image y ∈ {0,1}ν of f

pp, an index i ∈ [n] and a selector bit b ∈ {0,1},

and produces an encapsulated ciphertextctand a corresponding key bit e∈ {0,1}. The algorithm

D allows anyone to retrieve e from ct using any pre-image x of y whose ith bit isb. For security,

letting y := fpp(x), we require that if (ct,e) ←−$ E(pp,y,(i, b)) and xi 6= b, then even knowing x

one cannot recover e from ct with a probability better than 12 +negl(λ), where λ is the security

parameter. That is, for any x ∈ {0,1}n, i [n], we have (x,ct,e) c (x,ct,e0), where e0 − {$ 0,1},

(ct,e) ←−$ E(pp,f(pp,x),(i,1−xi)) and c

≡ denotes computational indistinguishability. Our OWFE notion is a weakening of the chameleon-encryption notion [DG17b] in that we do not requiref to be collision resistant. Additionally, our notion requires only selective security in the sense that the security holds for a randomx (which should be chosen before seeing the public parameter), while chameleon encryption requires security even for adversarially chosen x. The following is a variant of the CDH-based construction of [DG17b]. This modification to [DG17b] has been made so as to enhance it with the recyclability property described later.

CDH-based instantiation of OWFE [DG17b]. LetGbe a group of prime orderp. The public

parameter is a 2×n matrix of random group elements pp := g1,0,g2,0,...,gn,0

g1,1,g2,1,...,gn,1

and y := f(pp,x ∈ {0,1}n) = Y

j∈[n] gj,xj.

To performE(pp,y,(i, b)), sampleρ←−$ Zp and return (ct,e), where

ct:=g

0

1,0,g02,0,...,g0n,0

g01,1,g02,1,...,g0n,1

, where gi,01−b :=⊥, g0i,b:=gi,bρ

(4)

and e := HC(yρ), where HC is a hardcore bit function. The function D is now derived easily. This construction differs from [DG17b] a bit. However, the proof of security is very similar and is provided in AppendixA for completeness.

Recyclability. Our recyclability notion asserts that the ciphertext part output, ct, of the key encapsulation algorithmEis independent of the corresponding image input party. That is, letting

E1 and E2 refer to the first and second output of E, for any values of y1 and y2, we always have E1(pp,y1,(i, b);ρ) = E1(pp,y2,(i, b);ρ). It is easy to verify that the above CDH-based OWFE

satisfies this property. Thus, we may drop yas an input to E1 and obtain the following:

Property 1. Letting x∈ {0,1}n,x

i =b,ct:=E1(pp,(i, b);ρ) andy:=f(pp,x) we have

D(pp,x,ct) =E2(pp,y,(i, b);ρ).

1.3 Sketch of our OWFE-Based Construction and Techniques

Let (K,f,E,D) be a recyclable OWFE scheme.2 Our TDF construction is based on a new technique that we callbits planting. Briefly, the input Xto our TDF consists of a domain elementx∈ {0,1}n

off(pp,·) and ablinding stringb∈ {0,1}n×r, for somer that we will specify later. The outputYis

comprised of y:=f(pp,x), as well as a matrix of bits in which we copy all the bits ofb in the clear but in hidden spots determined by x; we fill up the rest of the matrix with key bits that somehow correspond to bit-by-bit encryption of x under y. To an adversary, the matrix is “unrevealing,” with no indicative signs of what spots corresponding to the blinding part — which containbin the clear. However, using our designed trapdoor, an inverter can pull out bothxandbfrom Ywith all but negligible probability.

Warm-up construction. We first give a warm up construction in which our inversion algorithm only recovers half of the input bits (on average). Our TDF input is of the form (x,b)∈ {0,1}n×

{0,1}n. This warm-up construction contains most of the ideas behind the full-blown construction.

• Key generation: The trapdoor key istk:= ρ1,0,...,ρn,0

ρ1,1,...,ρn,1

a matrix of randomness values, and

the index key isik:=pp,ct1,0,...,ctn,0

ct1,1,...,ctn,1

, formed as:

ik:=pp,

ct1,0 :=E1(pp,(1,0);ρ1,0), . . . ,ctn,0 :=E1(pp,(n,0);ρn,0) ct1,1 :=E1(pp,(1,1);ρ1,1), . . . ,ctn,1 :=E1(pp,(n,1);ρn,1)

.

• EvaluationF(ik,X): Parseik:=pp, ct

1,0,...,ctn,0

ct1,1,...,ctn,1

and parse the inputXas (x∈ {0,1}n,b:=

b1· · ·bn∈ {0,1}n). Set y:=f(pp,x). For i∈[n] setMi as follows:

Mi :=

D(pp,x,cti,0) bi

=

E2(pp,y,(i,0);ρi,0) bi

ifxi= 0

Mi :=

bi

D(pp,x,cti,1)

=

bi

E2(pp,y,(i,1);ρi,1)

ifxi= 1

(1)

2

(5)

The matrixMi is computed using the deterministic algorithm D and the equalities specified

as= follow by Property (1).∗

Return Y:= (y,M1||. . .||Mn).

• Inversion F−1(tk,Y): ParseY:= (y,M1||. . .||Mn) and tk:= ρρ11,,01, ..., ρ, ..., ρn,n,01

. Set

(M01||. . .||M0n) :=

E2(pp,y,(1,0);ρ1,0), . . . ,E2(pp,y,(n,0);ρn,0) E2(pp,y,(1,1);ρ1,1), . . . ,E2(pp,y,(n,1);ρn,1)

. (2)

Output (x,b:=b1. . .bn), where we retrievexiandbias follows. IfM0i,1=Mi,1andM0i,26=Mi,2

(where Mi,1 is the first element of of Mi), then set xi := 0 and bi :=Mi,2. If M0i,1 6=Mi,1 and M0i,2 =Mi,2, then set xi:= 1 and bi :=Mi,1. Else, setxi :=⊥ andbi :=⊥.

One-wayness (sketch). We show (ik,Y)≡c (ik,Ysim), where (ik,Y) is as above and

Ysim:=y,

E2(pp,y,(1,0);ρ1,0), . . . ,E2(pp,y,(n,0);ρn,0) E2(pp,y,(1,1);ρ1,1), . . . ,E2(pp,y,(n,1);ρn,1)

.

Noting that we may produce (ik,Ysim) using onlyppandy, the one-wayness of f(pp,·) implies it is

hard to recoverxfrom (ik,Ysim), and so also from (ik,Y).

Why (ik,Y) ≡c (ik,Ysim)? Consider Ysim,1, whose first column is the same as Ysim and whose

subsequent columns are the same asY. We prove (x,ik,Y)≡c (x,ik,Ysim,1); the rest will follow using

a hybrid argument.

Letting M1 be formed as in Equations1, to prove (x,ik,Y)

c

≡(x,ik,Ysim,1) it suffices to show

x,

E1(pp,y,(1,0);ρ1,0) E1(pp,(1,1);ρ1,1)

,M1

c

≡x,

E1(pp,(1,0);ρ1,0) E1(pp,(1,1);ρ1,1)

,

E2(pp,y,(1,0);ρ1,0) E2(pp,y,(1,1);ρ1,1)

. (3)

We prove Equation3 using the security property of OWFE, which says

x,E1(pp,(1,1−x1);ρ),b0 c

≡(x,E1(pp,(1,1−x1);ρ),E2(pp,y,(1,1−x1);ρ)), (4)

where b0 ←− {$ 0,1} and ρ is random. We give an algorithm that converts a sample from either side of Equation 4 into a sample from the same side of Equation 3. On input (x,ct1,b1), sample

(ct2,b2) $

←−E(pp,y,(1,x1)) and

• ifx1 = 0, then return x, ctct21

, b2 b1 ;

• else ifx1 = 1, then return x, ctct12

,b1

b2

.

The claimed property of the converter follows by inspection. Finally, we mention that the argument used to prove Equation 3 is similar to a previous technique used by Brakerski et al. [BLSV18] to build circularly-secure PKE.

Correctness. F−1 recovers on average half of the input bits: F−1 fails for an index i ∈ [n] if bi = E2(pp,y,(i,1−xi);ρi,1−xi). This happens with probability

1

2 because bi is a completely

(6)

Boosting correctness. To boost correctness, we provide r blinding bits for each index i of

x∈ {0,1}n. That is, the input to the TDF is (x,b)∈ {0,1}n× {0,1}rn. We will also expandik by

providing r encapsulated ciphertexts for each position (i, b)∈[n]× {0,1}. This extra information will bring the inversion error down to 2−r. We will show that one-wayness is still preserved.

Hardcore bits. Having a TDF, we may use standard techniques to derive hardcore functions [GL89]. In Section Dwe show more direct ways of doing so.

On the role of blinding. One may wonder why we need to put a blinding string bin the TDF input. Why do not we simply let the TDF input bexand derive multiple key bits for every index iof xby applying Dto the corresponding ciphertexts provided for that positioniin the index key

ik; the inverter can still find the matching bit for every index. The reason behind our design choice is that by avoiding blinders, it seems very difficult (if not impossible) to give a reduction to the security of the OWFE scheme.

1.4 CCA2 Security

Rosen and Segev [RS09] show that an extended form of one-wayness for TDFs, which they term k-repetition security, leads to a black-box construction of CCA2-secure PKE. Informally, a TDF is k-repetition secure if it is hard to recover a random input Xfrom F(ik1,X), . . . ,F(ikk,X), where

ik1, . . . ,ikk are sampled independently. They show that k-repetition security, fork∈Θ(λ), suffices

for CCA2 security.

We give a CCA2 secure PKE by largely following [RS09], but we need to overcome two problems. The first problem is that our TDF is notk-repetition secure, due to the blinding part of the input. We overcome this by observing that a weaker notion of k-repetition suffices for us: one in which we should keep xthe same across allk evaluations but may sampleb freshly each time. A similar weakening was also used in [Pei09].

The second problem is that our inversion may fail with negligible probability for every choice of (ik,tk) and a bit care is needed here. In particular, the simulation strategy of [RS09] will fail if the adversary can create an image Y, which is a true image of a domain point X, but which the inversion algorithm fails to invert. To overcome this problem, we extend the notion of security required by OWFE, calling itadaptive OWFE, and show that if our TDF is instantiated using this primitive, it satisfies all the properties needed to build CCA2 secure PKE. However, we leave open the problem of realizing adaptive OWFE from CDH.

1.5 Discussion

(7)

Related work. Hajiabadi and Kapron [HK15] show how to build TDFs from any reproducible

circularly secure single-bit PKE. Informally, a PKE is reproducible if given a public key pk0, a public/secret key (pk,sk) and a ciphertext c := PKE.E(pk0,b0;r), one can recycle the randomness of c to obtain PKE.E(pk,b;r) for any bit b ∈ {0,1}. Brakerski et al. [BLSV18] recently built a circularly secure single-bit PKE using CDH. Their construction is not reproducible, however. (The following assumes familiarity with [BLSV18].) In their PKE, a secret keyxof their PKE is an input to their hash function and the public keyyis its corresponding image. To encrypt a bit bthey (a) additively secret-share b into (b1, . . . ,bn), where n = |x| and (b) form 2n ciphertext cti,b, where

cti,b encryptsbi usingyrelative to (i, b). Their scheme is not reproducible because the randomness

used for step (a) cannot be recycled and also half of the randomness used to create hash encryption ciphertexts in step (b) cannot be recycled. (This half corresponds to the bits of the target secret key w.r.t. which we want to recycle randomness.) It is not clear whether their scheme can be modified to yield reproducibility.

Open problems. Our work leads to several open problems. Can our TDF be improved to yield perfect correctness? Our current techniques leave us with a negligible inversion error. Can we build lossy trapdoor functions (LTDF) [PW08] from recyclable-OWFE/CDH? Given the utility of LTDFs, a construction based on CDH will be interesting. Can we build deterministic encryption based on CDH matching the parameters of those based on DDH [BFO08]?

2

Preliminaries

Notation. We use λ for the security parameter. We use ≡c to denote computational indistin-guishability between two distributions and use ≡to denote two distributions are identical. For a distributionD we usex←−$ Dto mean xis sampled according to Dand usey ∈Dto mean y is in the support of D. For a setS we overload the notation to use x←−$ S to indicate thatx is chosen uniformly at random fromS.

Definition 2.1(Trapdoor functions (TDFs)). Let w=w(λ)be a polynomial. A family of trapdoor functions TDF with domain{0,1}w consists of three PPT algorithms TDF.K, TDF.F and TDF.F−1

with the following syntax and security properties.

• TDF.K(1λ): Takes the security parameter1λand outputs a pair(ik,tk)of index/trapdoor keys.

• TDF.F(ik,X): Takes an index keyikand a domain elementX∈ {0,1}w and outputs an image

element Y.

• TDF.F−1(tk,Y): Takes a trapdoor key tk and an image element Y and outputs a value X ∈ {0,1}w∪ {⊥}.

We require the following properties.

• Correctness: For any (ik,tk)∈TDF.K(1λ)

Pr[TDF.F−1(tk,TDF.F(ik,X))6=X] =negl(λ), (5)

(8)

• One-wayness: For any PPT adversary A, we have Pr[A(ik,Y) = X] = negl(λ), where

(ik,tk)←−$ TDF.K(1λ), X←− {$ 0,1}w andY=TDF.F(ik,X).

A note about the correctness condition. Our correctness notion relaxes that of perfect correctness by allowing the inversion algorithm to fail (with respect to any trapdoor key) for a negligible fraction of evaluated elements. This relaxation nonetheless suffices for all existing applications of perfectly-correct TDFs. Our correctness notion, however, implies a weaker notion under which the correctness probability is also taken over the choice of the index/trapdoor keys. This makes our result for constructing TDFs stronger.

Definition 2.2 (Computational Diffie-Hellman (CDH) assumption). Let G be a group-generator scheme, which on input 1λ outputs(

G, p, g), whereGis the description of a group,p is the order of the group which is always a prime number andgis a generator of the group. We say thatGis CDH-hard if for any PPT adversaryA: Pr[A(G, p, g, ga1, ga2) =ga1a2] =negl(λ), where(G, p, g)←−$ G(1λ) and a1, a2 ←−$ Zp.

3

Recyclable One-Way Function with Encryption

We will start by defining the notion of a one-way function with encryption. This notion is similar to the chameleon encryption notion of D¨ottling and Garg [DG17b]. However, it is weaker in the sense that it does not imply collision-resistant hash functions.

Next, we will define a novel ciphertext-randomness recyclability property for one-way function with encryption schemes. We will show that a variant of the chameleon encryption construction of D¨ottling and Garg [DG17b] satisfies this ciphertext-randomness recyclability property.

3.1 Recyclable One-Way Function with Encryption

We provide the definition of a one-way function with encryption. We define the notion as a key-encapsulation mechanism with single bit keys.

Definition 3.1 (One-way function with encryption (OWFE)). An OWFE scheme consists of four PPT algorithms K, f, E andD with the following syntax.

• K(1λ): Takes the security parameter 1λ and outputs a public parameter pp for a function f from nbits to ν bits.

• f(pp,x): Takes a public parameterpp and a preimagex∈ {0,1}n, and outputs y∈ {0,1}ν.

• E(pp,y,(i, b);ρ): Takes a public parameter pp, a valuey, an indexi∈[n], a bitb∈ {0,1}and randomness ρ, and outputs a ciphertext ct and a bit e.3

• D(pp,x,ct): Takes a public parameterpp, a valuexand a ciphertextct, and deterministically outputs e0 ∈ {0,1} ∪ {⊥}.

We require the following properties.

(9)

• Correctness: For any pp∈ K(1λ), any i∈ [n], any x∈ {0,1}n and any randomness value

ρ, the following holds: letting y := f(pp,x), b := xi and (ct,e) := E(pp,y,(i, b);ρ), we have

e=D(pp,x,ct).

• One-wayness: For any PPT adversary A:

Pr[f(pp,A(pp,y)) =y] =negl(λ),

where pp←−$ K(1λ), x←− {$ 0,1}n and y:=f(pp,x).

• Security for encryption: For anyi∈[n] and x∈ {0,1}n:

(x,pp,ct,e)≡c (x,pp,ct,e0)

where pp←−$ K(1λ),(ct,e)←−$ E(pp,f(pp,x),(i,1−xi)) and e0

$

←− {0,1}.

Definition 3.2(Recyclability). We say that an OWFE scheme(f,K,E,D)is recyclable if the follow-ing holds. Lettfollow-ing E1 andE2 refer to the first and second output ofE, the value ofE1(pp,y,(i, b);ρ) is always independent of y. That is, for any pp ∈ K(1λ), y1,y2 ∈ {0,1}ν, i ∈ [n], b ∈ {0,1} and randomness ρ: E1(pp,y1,(i, b);ρ) =E1(pp,y2,(i, b);ρ).

We now conclude the above definitions with two remarks.

Remark 3.3 (Simplified recyclability). Since under the recyclability notion the ciphertext output ct of E is independent of the input value y, when referring to E1, we may omit the inclusion of y as an input and writect=E1(pp,(i, b);ρ).

Remark 3.4. If the function f(pp,·) is length decreasing (e.g., f(pp,·) : {0,1}n 7→ {0,1}n−1), then the one-wayness condition of Definition 3.1is implied by the combination of the security-for-encryption and correctness conditions. In our definition, however, we do not place any restriction on the structure of the function f, and it could be, say, a one-to-one function. As such, under our general definition, the one-wayness condition is not necessarily implied by those two other conditions.

3.2 Construction from CDH

We give a CDH-based construction of a recyclable OWFE based on a group scheme G (Defini-tion 2.2), which is a close variant of constructions given in [CDG+17,DG17b].

• K(1λ): Sample (G, p, g)←−$ G(1λ). For eachj ∈[n] andb∈ {0,1}, choose gj,b

$

←−G. Output

pp:=G, p, g,

g1,0, g2,0, . . . , gn,0 g1,1, g2,1, . . . , gn,1

. (6)

• f(pp,x): Parse ppas in Equation 6, and output y:= Y

j∈[n] gj,xj.

(10)

1. For every j∈[n]\{i}, set cj,0:=gρj,0 and cj,1:=gρj,1.

2. Setci,b :=gi,bρ and ci,1−b :=⊥.

3. Sete:=HC(yρ).4

4. Output (ct,e) wherect:=

c1,0, c2,0, . . . , cn,0 c1,1, c2,1, . . . , cn,1

.

• D(pp,x,ct): Parse ct:=

c1,0, c2,0, . . . , cn,0 c1,1, c2,1, . . . , cn,1

. OutputHC(Y

j∈[n] cj,xj).

We prove the following lemma in Appendix A.

Lemma 3.5. Assuming that G is CDH-hard andn∈ω(logp), the construction described above is a one-way function with encryption scheme satisfying the recyclability property.

4

TDF Construction

In this section we describe our TDF construction. We first give the following notation.

Extending the notation for D. For a given pp, a sequencect:= (ct1, . . . ,ctr) of encapsulated

ciphertexts and a value x, we defineD(pp,x,ct) to be the concatenation ofD(pp,x,cti) fori∈[r].

AlgorithmPerm. For two listsu1 andu2and a bitbwe definePerm(u1,u2, b) to output (u1,u2) ifb= 0, and (u2,u1) otherwise.

Construction 4.1 (TDF construction). We now describe our TDF construction.

Base primitive. A recyclable OWFE scheme E= (K,f,E,D). Let Rand be the randomness space of the encapsulation algorithm E.

Construction. The construction is parameterized over two parameters n = n(λ) and r = r(λ), where n is the input length to the function f, and r will be instantiated in the correctness proof. The input space of each TDF is {0,1}n+nr. We will make use of the fact explained in Note 3.3.

• TDF.K(1λ):

1. Sample pp←K(1λ).

2. For each i∈[n] and selector bitb∈ {0,1}:

ρi,b:= (ρ(1)i,b, . . . , ρi,b(r))←−$ Randr

cti,b:= (E1(pp,(i, b);ρ(1)i,b), . . . ,E1(pp,(i, b);ρ(i,br))).

4We assume that theHC(·) is a hardcore bit function. If a deterministic hard-core bit for the specific function is

(11)

3. Form the index key ik and the trapdoor key tk as follows:

ik:= (pp,ct1,0,ct1,1, . . . ,ctn,0,ctn,1) (7)

tk:= pp,ρ1,01,1, . . . ,ρn,0n,1. (8)

• TDF.F(ik,X):

1. Parse ik as in Equation 7 and parse

X:= (x∈ {0,1}n,b1∈ {0,1}r, . . . ,bn∈ {0,1}r).

2. Set y:=f(pp,x).

3. For all i∈[n] set

ei:=D(pp,x,cti,xi).

4. Return

Y:= y,Perm(e1,b1,x1), . . . ,Perm(en,bn,xn)

.

• TDF.F−1(tk,Y):

1. Parse tk as in Equation 8 and Y:= (y,bg1,0,bg1,1, . . . ,bgn,0,bgn,1).

2. Reconstruct x := x1· · ·xn bit-by-bit and b := (b1, . . . ,bn) vector-by-vector as follows.

Fori∈[n]:

(a) Parseρi,0:= (ρ(1)i,0, . . . , ρ(i,r0)) and ρi,1 := (ρ(1)i,1, . . . , ρ(i,r1)). (b) If

g bi,0 =

E2(pp,y,(i,0);ρ(i,01)), . . . ,E2(pp,y,(i,0);ρ(i,0r))

and

g bi,1 6=

E2(pp,y,(i,1);ρ(i,11)), . . . ,E2(pp,y,(i,1);ρ(i,1r))

, (9)

then setxi = 0 and bi=gbi,1. (c) Else, if

g bi,0 6=

E2(pp,y,(i,0);ρ(i,01)), . . . ,E2(pp,y,(i,0);ρ(i,0r))

and

g bi,1 =

E2(pp,y,(i,1);ρ(i,11)), . . . ,E2(pp,y,(i,1);ρ(i,1r))

, (10)

then setxi = 1 and bi=gbi,0. (d) Else, halt and return ⊥.

3. If y6=f(pp,x), then return ⊥. Otherwise, return (x,b).

(12)

Lemma 4.2 (TDF correctness). The inversion error of our constructed TDF is at most 2nr. That is, for any (ik,tk)∈TDF.K(1λ) we have

β := Pr[TDF.F−1(tk,(TDF.F(ik,X)))6=X]≤ n

2r, (11)

where the probability is taken over X:= (x,b1, . . . ,bn)

$

←− {0,1}n+nr. By choosing r ω(logλ) we

will have a negligible inversion error.

For one-wayness we will prove something stronger: parsingX:= (x, . . .), then recovering anyx0

satisfying f(pp,x) =f(pp,x0) from (ik,TDF.F(ik,X)) is infeasible.

Lemma 4.3 (TDF one-wayness). The TDF (TDF.K,TDF.F,TDF.F−1) given in Construction 4.1 is one-way. That is, for any PPT adversary A

Pr[A(ik,Y) =x0 andf(pp,x0) =y] =negl(λ), (12)

where(ik:= (pp, . . .),tk)←−$ TDF.K(1λ),X:= (x, . . .)←− {$ 0,1}n+nr andY:= (y, . . .) :=TDF.F(ik,X).

By combining Lemmas 3.5, 4.2and 4.3we will obtain our main result below.

Theorem 4.4 (CDH implies TDFs). There is a black-box construction of TDFs from CDH-hard groups.

4.1 Proof of Correctness: Lemma 4.2

Proof of Lemma 4.2. LetX:= (x,b1, . . . ,bn)

$

←− {0,1}n+nr be as in the lemma and

Y:=TDF.F(ik,X) := (y,b1g,0,b1g,1, . . . ,bgn,0,bgn,1). (13)

By design, for alli∈[n]: b^i,1−xi =bi. Parse

tk:= ρ1,01,1, . . . ,ρn,0n,1,

ρi,b := (ρ(1)i,b, . . . , ρ(i,br)), fori∈[n] and b∈ {0,1}.

Consider the execution of TDF.F−1(tk,Y). By the correctness of our recyclable OWFE scheme E

we have the following: the probability that TDF.F−1(tk,Y) 6= X is the probability that for some

i∈[n]:

bi =

E2(pp,y,(i,1−xi);ρ(1)i,1−xi), . . . ,E2(pp,y,(i,1−xi);ρ (r)

i,1−xi)

. (14)

Now since bi, for all i, is chosen uniformly at random and independently of x, the probability of

the event in Equation14 is 21r. A union bound overi∈[n] gives us the claimed error bound.

4.2 Proof of One-wayness: Lemma 4.3

(13)

Definition 4.5. Fix pp, x ∈ {0,1}n and y := f(pp,x). We define two PPT algorithms Real and

Sim, where Real takes as input (pp,x) and Sim takes as input (pp,y). We stress that Sim does not take xas input.

The algorithmReal(pp,x)outputs(CT,E)and the algorithmSim(pp,y)outputs(CT,Esim), sam-pled in the following way.

• Sample

ρ1,0, . . . , ρn,0

ρ1,1, . . . , ρn,1

$

←−Rand2×n.

• Set

CT:=

ct1,0, . . . ,ctn,0

ct1,1, . . . ,ctn,1

:=

E1(pp,(1,0);ρ1,0), . . . ,E1(pp,(n,0);ρn,0)

E1(pp,(1,1);ρ1,1), . . . ,E1(pp,(n,1);ρn,1)

.

• Set

E:=

b1,0, . . . ,bn,0

b1,1, . . . ,bn,1

,

where, for all i∈[n]:

– if xi = 0, then bi,0 :=D(pp,x,cti,0) and bi,1 $

←− {0,1}. – if xi = 1, then bi,0

$

←− {0,1} and bi,1 :=D(pp,x,cti,1).

• Set

Esim:=

E2(pp,y,(1,0);ρ1,0), . . . ,E2(pp,y,(n,0);ρn,0)

E2(pp,y,(1,1);ρ1,1), . . . ,E2(pp,y,(n,1);ρn,1)

We now prove the following lemma which will help us to prove the indistinguishability of the two hybrids in our main proof.

Lemma 4.6. Fix polynomial r:=r(λ) and let x∈ {0,1}n. We have

(pp,x,CT1,E1, . . . ,CTr,Er) c

≡(pp,x,CT1,Esim,1, . . . ,CTr,Esim,r), (15)

where pp←−$ K(1λ), and for alli∈[r],(CTi,Ei)

$

←−Real(pp,x) and(CTi,Esim,i)

$

←−Sim(pp,f(pp,x)).

Proof. Fix x∈ {0,1}n and let y:=f(pp,x). For the purpose of doing a hybrid argument we define

two algorithmsSRealand SSimbelow.

• SReal(i,pp,x): sampleρ0, ρ1

$

←−Rand and return (ct,e), where

ct:= ct0 ct1 :=

E1(pp,(i,0);ρ0)

E1(pp,(i,1);ρ1)

(16)

and e is defined as follows:

– ifxi = 0, then e:=

D(pp,x,ct0) b

, where b←− {$ 0,1};

– ifxi = 1, then e:=

b

D(pp,x,ct1)

(14)

• SSim(i,pp,y): Return (ct,esim), wherectis sampled as in Equation16 and

esim :=

E2(pp,y,(i,0);ρ0)

E2(pp,y,(i,1);ρ1)

.

We will show that for all i∈[n] and x∈ {0,1}n

(pp,x,ct,e)≡c (pp,x,ct,esim), (17)

where

pp←−$ K(1λ), (ct,e)←−$ SReal(i,pp,x) and (ct,esim) $

←−SSim(i,pp,f(pp,x)).

From Equation 17 using a simple hybrid argument the indistinguishability claimed in the lemma (Equation15) is obtained. Note that for the hybrid argument we need to make use of the fact that thatxis provided in both sides of Equation17, because we need to knowxto be able to build the intermediate hybrids between those of Equation15. Thus, in what follows we will focus on proving Equation 17.

To prove Equation 17, first note that by the correctness of the OWFE schemeE, we have

(pp,x,ct,e)≡(pp,x,ct,e0),

wherect and eare sampled according to SReal(i,pp,x) as above (using randomness values ρ0 and ρ1), ande0 is sampled as:

• ifxi = 0, then e0 :=

E2(pp,y,(i,0);ρ0)

b

, where b←− {$ 0,1};

• ifxi = 1, then e0 :=

b

E2(pp,y,(i,1);ρ1)

, where b←− {$ 0,1}.

Thus, we will prove

(pp,x,ct,e0)≡c (pp,x,ct,esim). (18) We derive Equation18 from the security-for-encryption requirement of the scheme (K,f,E,D).

Recall that the security for encryption requirement asserts that no PPT adversary can

distin-guish between (x,ct1,e1) and (x,ct1,e2), wherepp←−$ K(1λ),(ct1,e1)←−$ E(pp,f(pp,x),(i,1−xi)) and

e2 $

←− {0,1}. Let us call (x,ct1,e1) the simulated challenge and (x,ct1,e2) the random challenge.

To give the reduction we present a procedureTurnwhich generically turns a simulated challenge into a sample ofSSim(i,pp,x) and turns a random challenge into a sample of SReal(i,pp,y).

The algorithm Turn(x,ct,e) returns (ct1,e1), formed as follows:

• Sampleρ←−$ Rand. Then

– ifxi = 0, then return

ct1=

E1(pp,(i,0);ρ) ct

e1 =

E2(pp,y,(i,0);ρ) e

(15)

– ifxi = 1, then return

ct1=

ct E1(pp,(i,0);ρ)

e1 =

e

E2(pp,y,(i,0);ρ)

It should be clear by inspection that the output of Turn(x,ct,e) is identically distributed to

SReal(i,pp,x) if (x,ct,e) is a random challenge (defined above), and identically distributed to

SSim(i,pp,x) if (x,ct,e) is a simulated challenge. The proof is now complete.

Proof of Lemma 4.3. To prove Lemma4.3we define two hybrids and will use the notationviewi to

refer to the view sampled in Hybridi.

Hybrid 0. The view (ik,Y) is produced honestly as in the real executions of the scheme TDF. That is,

• Samplepp←−$ K(1λ),x←− {$ 0,1}n and lety:=f(pp,x).

• For allj∈[r] sample (CT(j),E(j))←−$ Real(pp,x). Parse

CT(j):= ct

(j) 1,0, . . . ,ct

(j)

n,0 ct(1j,1), . . . ,ct(n,j)1

!

E(j):= b

(j) 1,0, . . . ,b

(j)

n,0 b(1j,1), . . . ,b(n,j)1

! .

• For alli∈[n] and d∈ {0,1} set

cti,d := (ct(1)i,d, . . . ,ct(i,dr))

bi,d := (b(1)i,d, . . . ,b(i,dr)).

• Form the view (ik,Y) as follows:

((pp,ct1,0,ct1,1, . . . ,ctn,0,ctn,1)

| {z }

ik

,(y,b1,0,b1,1, . . . ,bn,0,bn,1)

| {z }

Y

) (19)

Hybrid 1. The view (ik,Y) is produced the same as Hybrid 0 except that for all j ∈ [r] we sample (CT(j),E(j)) now as (CT(j),E(j))←−$ Sim(pp,y).

We prove that the two views above are indistinguishable and then we will show that inverting the image under view1 is computationally infeasible.

Indistinguishability of the views: By Lemma 4.6 we haveview0

c

≡view1. The reason is that

the view in either hybrid is produced entirely based on (CT(1),E(1), . . . ,CT(r),E(r)) and that this tuple is sampled from the distributionReal(pp,x) in one hybrid and fromSim(pp,y) in the other.

One-wayness in Hybrid 1: We claim that for any PPT adversaryA

Pr[A(view1) =x0 and f(pp,x0) =y] =negl(λ). (20)

Recall that view1 := (ik,Y) is the view in Hybrid 1 and that the variables pp and y are part of ik:= (pp, . . .) andY:= (y, . . .). The proof of Equation20follows from the one-wayness off, taking into account the fact thatview1 in its entirety is produced solely based onppandy:=f(pp,x) (and

especially without knowing x). This is because all the underlying variables (CT(j),E(j)) — for all

(16)

Completing the Proof of Lemma 4.3. Let view0 := (ik,Y) and parse ik := (pp, . . .) and Y := (y, . . .). For any PPT adversary A we need to show that the probability that A on input

view0 outputs x0 ∈ {0,1}n such that f(pp,x0) =y is negligible. We know that B fails to compute

such a string x0 with non-negligible probability if the view ((pp, . . .),(y, . . .)) is sampled according toview1. Since view0

c

≡view1, the claim follows.

4.3 Extended One-Wayness

For our CCA2 application we need to prove a stronger property than the standard one-wayness for our constructed TDF. This extension requires that if we evaluate mcorrelated inputs under m independent functions from the TDF family, the result still cannot be inverted.

Lemma 4.7 (m-Extended one-wayness). Let TDF = (TDF.K,TDF.F,TDF.F−1) be the TDF built in Construction 4.1 based on an arbitrary parameter r = r(λ). Let m := m(λ). For any PPT adversaryA

Pr[A(view:= (ik1, . . . ,ikm,Y1, . . . ,Ym)) =x] =negl(λ),

wherex←− {$ 0,1}nand fori[m],(ik i,tki)

$

←−TDF.K(1λ),bi

$

←− {0,1}nrandY

i:=TDF.F(iki,x||bi).

Thus, there exists a hardcore functionHCsuch thatHC(x) is pseudorandom in the presence ofview.

Proof. For any PPT adversary A we need to show that the probability that A(view) outputs xis negligible. It is easy to verify by inspection that the distribution of view can be perfectly formed based on the view (ik∗,Y∗) of an inverter against the standard one-wayness of the trapdoor function (TDF.K,TDF.F,TDF.F−1) of Construction 4.1but under the new parameterr0 =m×r. Invoking Lemma4.3 our claimed one-wayness extension follows.

5

CCA2-Secure Public-Key Encryption

In this section we show that an adaptive version of the notion of recyclable OWFE gives rise to a black-box construction of CCA2-secure PKE. We will first define this adaptive version in Section5.1 and will then give the construction. We should also point out that it is not clear whether the CDH-based construction given in Section 3.2 can be proved adaptively secure. We leave this as an open problem. The goal of this section is purely theoretical, showing the versatility of an adaptive strengthening of the OWFE notion.

5.1 Adaptive One-Way Function with Encryption

For our CCA construction we need to work with an adaptive version of the notion of OWFE. Recall by Note 3.3 that a ciphertext ct does not depend on the corresponding y. The security for encryption notion (Definition 3.1) says if (ct,e) is formed using an image y := f(pp,x) and parameters (i, b), and if xi 6=b, then even knowingx does not help an adversary in distinguishing

e from a random bit. The adaptive version of this notion allows the adversary to choose x after seeing ct. This notion makes sense because ct does not depend on the imagey, and so ct may be chosen first.

(17)

• Adaptive Security: For any PPT adversaryA the probability that AdapOWFE[t= 1](E,A)

outputs 1 is 12 +negl(λ), where the experiment AdapOWFE[t] is defined in Fig. 1.

Experiment AdapOWFE[t](E,A:= (A1,A2,A3)):

1. (i∗ ∈[n], b∗ ∈ {0,1},st1) $

←− A1(1λ) 2. Samplepp←−$ K(1λ) andρ1, . . . , ρt

$

←− {0,1}∗

3. Setct1 :=E1(pp,(i∗, b∗);ρ1),. . . ,ctt:=E1(pp,(i∗, b∗);ρt)

4. (x,st2) $

←− A2(st1,pp,ct1, . . . ,ctt).

5. Ifxi∗ =b∗, HALT.

6. Forj ∈[t]: ej :=E2(pp,y,(i∗, b∗);ρj), wherey=f(pp,x).

7. ch←− {$ 0,1}. Ifch= 0, sete0 := (e1, . . . ,et); else, e0

$

←− {0,1}t.

8. out←− A$ 3(st2,e0).

9. Output 1 if out=chand 0 otherwise.

Figure 1: TheAdapOWFE[t](E,A) Experiment

We remind the reader that in Step 3 of Fig. 1 the algorithm E1 does not take any y as input

because of Note3.3. The following lemma is obtained using a straightforward hybrid argument, so we omit the proof.

Lemma 5.2. LetE = (K,f,E,D) be an adaptive OWFE scheme. For any polynomialt:=t(λ) and any PPT adversary A, we havePr[AdapOWFE[t](E,A) = 1]≤ 1

2+negl(λ).

5.2 CCA2 PKE from Recyclable Adaptive OWFE

Notation. LetTDF:= (TDF.K,TDF.F,TDF.F−1) be as in Section4. We will interpret the input

X to the TDF as (x,s), where x ∈ {0,1}n corresponds to f’s pre-image part and s ∈ {0,1}n1 corresponds to theblinding part. In particular, if r is the underlying parameter of the constructed TDF as in Construction4.1, thenn1 =n×r.

Ingredients of our CCA2-secure PKE. Apart from a TDF with the above syntax, our CCA2 secure construction also makes use of a one-time signature scheme SIG= (SIG.K,SIG.Sign,SIG.Ver) with prefect correctness, which in turn can be obtained from any one-way function. See AppendixC for the description of this notion.

Our CCA2 primitive. We will build a CCA2 secure single-bit PKE, which by the result of [Ms09] can be boosted into many-bit CCA2 secure PKE. Since we deal with single-bit CCA2 PKE, we may assume without loss of generality that the CCA adversary issues all her CCA oracles after seeing the challenge ciphertext.

(18)

Construction 5.3(IND-CCA2-secure PKE). The construction is parameterized over a parameter m:= m(λ), which denotes the size of the verification key of the underlying signature schemeSIG. Let HC be a bit-valued hardcore function whose existence was proved in Lemma 4.7.

• PKE.K(1λ): For i ∈ [m] and b ∈ {0,1}, sample (ikbi,tkbi) ←−$ TDF.K(1λ). Form (pk,sk) the public/secret key as follows:

pk:= (ik01,ik11, . . . ,ik0m,ik1m), sk:= (tk01,tk11, . . . ,tk0m,tk1m). (21)

• PKE.E(pk,b): Parse pk as in Equation 21. Sample (vk,sgk) ←−$ SIG.K(1λ), x ←− {$ 0,1}n and

set

X1:= (x,s1 $

←− {0,1}n1), . . . , X

m := (x,sm

$

←− {0,1}n1). (22)

Let b0=b⊕HC(x) and for i∈[m]let Yi =TDF.F(ikvki i,Xi). Return

c:= vk,Y1, . . . ,Ym,b0,SIG.Sign(sgk,Y1||. . .||Ym||b0)

. (23)

• PKE.D(sk,c): Parse sk as in Equation21 and parse

c:= (vk,Y1, . . . ,Ym,b0, σ). (24)

1. Set msg:=Y1|| · · ·Ym||b0. If SIG.Ver(vk,msg, σ) =⊥, then return ⊥.

2. Otherwise, for i ∈ [m] set Xi := TDF.F−1(tkivki,Yi). Check that for all i ∈ [n]: Yi =

TDF.F(ikvki

i ,Xi). If not, return ⊥.

3. If there exists x∈ {0,1}n and s

1, . . . ,sm∈ {0,1}n1 such that for alli∈[m],Xi = (x,si),

then return b0⊕HC(x). Otherwise, return ⊥.

Correctness. Assuming that the underlying signature scheme SIG = (SIG.K,SIG.Sign,SIG.Ver) is correct and also that the underlying TDF (TDF.K,TDF.F,TDF.F−1) is correct in the sense of

Definition2.1, the above constructed PKE is correct in a similar sense: for any (pk,sk)∈PKE.K(1λ) and plaintext bit b ∈ {0,1} we have Pr[PKE.D(sk,PKE.E(pk,b))] = negl(λ). The proof of this is straightforward.

5.3 Proof of CCA2 Security

We will prove the following theorem.

Theorem 5.4(CCA2-secure PKE from recyclable adaptive OWFE). Let(TDF.K,TDF.F,TDF.F−1)

be the TDF that results from Construction4.1 based on a recyclable OWFE(K,f,E,D). Assuming

(K,f,E,D) is adaptively secure, the PKE given in Construction 5.3 is CCA2 secure.

We need to show that the probability of success of any CCA2 adversary is the CCA2 game is at most 12 +negl(λ). Fix the adversary A in the remainder of this section. We give the following event that describes exactly the success ofA.

Event Success. Sample (pk,sk) ←−$ PKE.K(1λ), bplain $

←− {0,1} and c ←−$ PKE.E(pk,bplain). Run

(19)

Roadmap. To prove Theorem 5.4, in Section 5.3.1 we define a simulated experiment Sim and we show that the probability of success of any CCA2 adversary in this experiment is 12 +negl(λ). Next, in Section 5.3.2we will show that the probabilities of success of any CCA2 adversary in the real and simulated experiments are negligibly close, establishing Theorem 5.4.

5.3.1 Simulated CCA2 Experiment

We define a simulated way of doing the CCA2 experiment. Roughly, our simulator does not have the full secret key (needed to reply to CCA2 queries of the adversary), but some part of it. Our simulation is enabled by a syntactic property of our constructed TDF. We first state the property and then prove that it is satisfied by our TDF. We require the existence of an efficient algorithm

Recoverfor our constructed TDF (TDF.K,TDF.F,TDF.F−1) that satisfies the following property.

Algorithm Recover: The input to the algorithm is an index keyik, a pre-fix input x∈ {0,1}n

and a possible image Y. The output of the algorithm is X∈ {0,1}n+n1∪ {⊥}. As for correctness we requite the following. For any (ik,∗) ∈ TDF.K(1λ), x ∈ {0,1}n and Y both the following two

properties hold:

1. If there exists nos∈ {0,1}n1 such that TDF.F(ik,x||s) =Y, thenRecover(ik,x,Y) =.

2. If for somes,TDF.F(ik,x||s) =Y, thenRecover(ik,x,Y) returns (x,s).

Lemma 5.5 (Existence of Recover). There exists an efficient algorithm Recover with the above properties for our constructed TDF .

Proof. To build Recover, first parse the given inputs as follows: ik = (pp, . . .), x ∈ {0,1}n and

Y:= (y,bg1,0,bg1,1, . . . ,bgn,0,bgn,1). Do the following steps:

1. For alli∈[n] set bi:=b^i,1−xi.

2. Lets=b1|| · · · ||bn

3. Check ifY=TDF.F(ik,x||s). If the check holds, return (x,s). Otherwise, return ⊥.

The correctness of the algorithm Recoverfollows by inspection.

We now define our simulation algorithm.

Sim(ik1, . . . ,ikm,Y1, . . . ,Ym,b): The simulated experiment differs from the real experiment in that

the challenger does not know the trapdoor keys of half of the index keys that are given to the CCA adversary as part of the public key. The challenger, however, tries to produce accurate answers based on her partial knowledge.

Formally, do the following steps.

1. Initializing the CCA adversary:

(a) Sample (vk,sgk)←−$ SIG.K(1λ). (b) For alli∈[m] setikvki

i :=iki and sample (ik1−i vki,tk

1−vki

i )

$

(20)

(c) Sample a challenge bitbplain $

←− {0,1}and let b1 :=bplain⊕b. Set

msg:=Y1|| · · · ||Ym||b1.

Sampleσ ←−$ SIG.Sign(sgk,msg) and set

pk:= (ik01,ik11, . . . ,ik0m,ik1m), c:= (vk,Y1, . . . ,Ym,b1, σ).

Run the CCA2 adversary Aon (pk,c). 2. Simulating the CCA responses:

Respond to a CCA2-oracle queryc0 := (vk0,Y10, . . . ,Y0m,b0, σ0) as follows:

(a) Letting msg0 :=Y01|| · · · ||Y0m||b0 ifSIG.Ver(vk0,msg0, σ0) =⊥, then return⊥. Otherwise, ifvk0 =vk, then halt and return ⊥.

(b) Otherwise, let Qconsist all of all indices i∈[m] for which we have vk0i6=vki. Fori∈Q

setX0i:=TDF.F−1(tkvk 0 i

i ,Y

0

i) and check ifY0i=TDF.F(ik vk0i

i ,X

0

i); if this fails for anyi∈Q,

then return⊥. Now if there existsx0 ∈ {0,1}nsuch that for alliQwe haveX0

i = (x0,∗)

then continue with the following steps and otherwise return⊥. i. for all j∈[m]\Q, let X0j :=Recover(ikvk

0 j

j ,x0,Yj0). Reply to the queryc0 withHC(x0)

if for allj we have X0j 6=⊥; otherwise, reply to the query with ⊥.

3. Forming the output of the experiment: The experiment outputs 1 if A outputs bplain;

otherwise, the experiments outputs 0.

Event Successsim. The event that Sim(ik1, . . . ,ikm,Y1, . . . ,Ym,b) outputs 1 where x

$

←− {0,1}n,

b:=HC(x) and fori∈[m], (iki,tki)←−$ TDF.K(1λ),si ←− {$ 0,1}nr and Yi:=TDF.K(iki,x||si).

We show that the probability of the event Successsim is 12 +negl(λ). We will then show in the

next section that the probability of the eventSuccessis close to that ofSuccesssim, hence obtaining

our main result.

Lemma 5.6.

α:= Pr[Successsim]≤

1

2 +negl(λ). (25)

Proof. This lemma follows by Lemma4.7. Suppose the input toSimis sampled exactly as done in the eventSuccesssim, except that we sampleb

$

←− {0,1}(instead of setting b:=HC(x)). In this case the output of the simulation is 1 with probability 1/2. Now Lemma4.7implies thatα= 12+negl(λ) (Equation25), and the proof is complete.

5.3.2 Relating the Simulated and Real Experiments

We will now show that the probabilities of the events Success and Successsim are negligibly close,

hence obtaining Theorem5.4from Lemma5.6. To this end, we define below two events Forgeand

Spoof, and show that the difference of the probabilities of Success and Successsim is at most the

(21)

Event Forge: In the experimentSim(ik1, . . . ,ikm,Y1, . . . ,Ym,b) we letForgebe the event that A

issues a CCA2 query

c0 := (vk0,Y01, . . . ,Ym0 ,b0, σ0)

such that vk = vk0 and Ver(vk,Y10|| · · · ||Y0m||b0, σ0) = >. Recall that vk is part of the challenge ciphertext c:= (vk, . . .) given to the adversary.

Informally, the event Spoof below describes a situation in which a decryption query during the execution of Sim is answered with a non ⊥ string, but the same query may be replied to with⊥

under the real decryption oracle.

Event Spoof: Let c := (vk, . . .) be the challenge ciphertext formed during the execution of

Sim(ik1, . . . ,ikm,Y1, . . . ,Ym,b). We letSpoof be the event thatA issues a CCA2 query

c0 := (vk0,Y01, . . . ,Ym0 ,b0, σ0)

for which the following holds. LetQ be the set of indicesi∈[m] for which we have vki 6=vk0i. For

someh∈Q and for some w∈[m]\Qwe have

1. TDF.F−1(tkvk 0 h

h ,Y

0

h) = (x0,∗)6=⊥; and

2. s0j :=Recover(ikvk0w

w ,x0,Yw0 )=6 ⊥butTDF.F−1(tk vk0w

w ,Yw0 ) =⊥.

We will now prove the following three lemmas.

Lemma 5.7. We have

|Pr[Success]−Pr[Successsim]| ≤Pr[Forge] + Pr[Spoof].

Lemma 5.8.

Pr[Forge]≤negl(λ).

Lemma 5.9.

Pr[Spoof]≤negl(λ).

Let us first derive the proof of Theorem5.4 and then prove each of the lemmas.

Proof of Theorem 5.4. Follows from Lemmas 5.6 and 5.7, taking into account the fact that the experimentReal(1λ) is the real CCA2 experiment.

We prove Lemmas 5.7and 5.8and will prove Lemma5.9 in Section5.3.3.

Proof of Lemma 5.7. First of all, note that the input (pk,c) given to the CCA2 adversary under the simulated experiment is identically distributed to that under the real CCA2 experiment. Thus, any possible difference between the simulated and real experiments must be due to the ways in which decryption queries are answered. We will now show that if at any point a decryption query is answered to differently under Sim and Real, then eitherForge or Spoof must happen. First, in order for a queryc0 to be answered differently, either (1) the queryc0 is replied to with⊥underSim

(22)

b0 ∈ {0,1} under Sim and with 1−b0 under Real. The reason for this is that if both experiments reply to a query with something other than⊥, then the underlying recovered pre-imagex0 must be the same, hence both will end up replying with the same bit.

Let c := (vk, . . .) be the challenge ciphertext of the underlying CCA2 adversary and c0 := (vk0,msg0, σ0) be an issued query. We now consider all possible cases:

• IfSim replies toc0 := (vk0,msg0, σ0) with⊥, then one of the following must hold.

1. SIG.Ver(vk0,msg0, σ0) =⊥: in this case Realalso replies to with⊥;

2. SIG.Ver(vk0,msg0, σ0) => andvk=vk0: in this case the event Forgehappens; 3. Simreturns⊥as a result of Step2bof the execution ofSim: that is,TDF.F−1(tkvk0i

i ,Yi0) =

⊥: in this caseRealalso replies with⊥.

4. Sim replies with ⊥ as a result of Step 2(b)i: in this case by correctness of Recover we will know Realwill also reply with⊥.

• If Real replies to c0 with ⊥ and Sim replies to c0 with some b0 ∈ {0,1}, then we may easily verify that the eventSpoof must necessarily hold. We omit the details.

Proof of Lemma 5.8. Suppose Pr[Forge]>negl(λ). We show how to build an adversary B against the one-time unforgeability property ofSIG= (SIG.K,SIG.Sign,SIG.Ver). Build BSgnOracle[sgk](·)(vk)

as follows. Sample the input (ik1, . . . ,ikm,Y1, . . . ,Ym,b) to Sim and form the tuple msg as in

the execution of Sim on this input. Then request a signature σ for the message msg by calling

SgnOracle[sgk](·) on msg. Form (pk,c) as in Simand run the CCA2 adversary Aon (pk,c). Letq be the number queries that A asks. Choosei ←−$ [q] to be a guess for the index of the first query for which the eventForgeoccurs and output the pair of message/signature contained in that query. Note that B can perfectly reply to all the previous i−1 queries ofA, because all of those can be replied to without knowingsgk. Ifα:= Pr[Forge], then B will win with probability at least αq.

5.3.3 Proof of Lemma 5.9

The proof of Lemma5.9is based on a property of our TDF that we now state and prove. Informally, if the OWFE scheme used in our TDF construction is adaptively secure, then the constructed TDF has the property that given a random index key ik, it is infeasible to produce an image element which is in the range of the trapdoor functionTDF.F(ik,·), but which “inverts” to⊥.

Lemma 5.10. Let TDF= (TDF.K,TDF.F,TDF.F−1) be the TDF built in Section 4, with the un-derlying parameter r:=r(λ)∈ω(logλ), based on a recyclable OWFE schemeOWFE= (K,f,E,D). Assuming OWFE is adaptive (Definition 5.1), for any PPT adversary A:

Pr[(X,Y)←− A$ (ik) s.t. Y=TDF.F(ik,X),TDF.F−1(tk,Y) =⊥] =negl(λ), (26)

(23)

Proof. Let Surprisebe the event of the lemma. Parse

ik:= (pp,ct1,0,ct1,1, . . . ,ctn,0,ctn,1),tk:= (ρ1,0,ρ1,1, . . . ,ρn,0,ρn,1), (27)

and for all i0∈[n] and b0 ∈ {0,1} parse

cti0,b0 := (ct(1)

i0,b0, . . . ,ct (r)

i0,b0) (28)

ρi0,b0 := (ρ(1)i0,b0, . . . , ρ (r)

i0,b0).

Recall that for all i0∈[n], b0∈ {0,1}and j∈[r] we have

ct(i0j,b)0 =E1(pp,(i0, b0);ρ(i0j,b)0). (29)

Also, parse (X,Y), the output ofA(ik), as

X:= (x∈ {0,1}n,b

1∈ {0,1}r, . . . ,bn∈ {0,1}r) (30)

Y:= (y,b1,0 ∈ {0,1}r,b1,1∈ {0,1}r, . . . ,bn,0 ∈ {0,1}r,bn,1 ∈ {0,1}r).

If the eventSurprisehappens, then by definition we haveY=TDF.F(ik,X) andTDF.F−1(tk,Y) =

⊥. Thus, by definition of TDF.F−1, for somei∈[n] we must have

bi =

E2(pp,y,(i,1−xi);ρ(1)i,1−xi), . . . ,E2(pp,y,(i,1−xi);ρ (r)

i,1−xi)

. (31)

We show how to use Equation 31 to break the adaptive security ofOWFE.

We show how to build an adversary against the adaptive security of OWFE in the sense of

Lemma 5.2. Sample i ←−$ [n] and b ←− {$ 0,1} — The value of b will serve as a guess bit for 1−xi (see Equation 31). Give the pair (i, b) to the challenger to receive (pp,ct1, . . . ,ctr). Set

cti,b:= (ct1, . . . ,ctr) and sample all othercti0,b0, for (i0, b0)6= (i, b), as in Equation28 and form the

indexikas in Equation 27. CallA(ik) to receive (X,Y) and parse them as in Equation30. Ifxi =b

then return ⊥. Otherwise, give x to the challenger to receive some e0 ∈ {0,1}r. If e0 = b

i, then

return 0, and otherwise return 1.

If the probability of the event Surprise is non-negligible, then A wins with a probability non-negligibly greater than 12. The reason is ife0 was generated uniformly at random from{0,1}r, then

the probability thate0 =bi is 21r =negl(λ). On the other hand, ife0 was generated as a result of

true encapsulation encryptions (see the description of the game in Lemma5.2), then the probability thate0 =bi is the probability of the event in Equation31, which is non-negligible. Thus, we break

the adaptive security ofOWFE, a contradiction to Lemma 5.2.

Proof of Lemma 5.9. The proof of this lemma follows easily from Lemma 5.10, so we will give a sketch of the proof. Let β := Pr[Spoof]. We show how to build an adversary B in the sense of Lemma5.10 that wins with probability polyβ(λ).

Recall h andw from the eventSpoof. The adversary B(ik) acts as follows.

1. Sample (vk,sgk)←−$ SIG.K(1λ).

(24)

3. Setikvkw

w :=ik. Also, sample (ik

1−vkw

w ,tk

1−vkw

w )

$

←−TDF.K(1λ)

4. For alli∈[m]\ {w} andb∈ {0,1}, sample (ikbi,tkbw)←−$ TDF.K(1λ).

5. Samplex←− {$ 0,1}n,b:=HC(x) and for i[m],Y

i :=TDF.K(ikvki i,x||si).

6. Samplebplain $

←− {0,1} and setb1:=bplain⊕b.

7. Set the challenge public key and ciphertext (pk,c) as in Simand run the CCA2 adversary A

on (pk,c).

Now guess η to be the index of the first query of A that causes Spoof to happen and guess

h ←−$ [m] be the underlying index defined in the event Forge. Note that B can perfectly simulate the response all the first η−1 queries ofA as in Sim. The reason is that B has the trapdoor key for all ik1−vki

i , and so it can perform as in Sim.

The ηth query. Letting the ηth query be

c0 := (vk0,Y01, . . . ,Ym0 ,b0ciph, σ0)

B acts as follows: it sets (x0,sh) :=TDF.F−1(tk vk0h

h ,Y

0

h) and sets X

0

w:= Recover(ik,x0,Yw0 ). Finally,

B returns (X0w,Y0w).

It is now easy to verify ifSpoof occurs and that all the guesses of the adversaryBwere correct (i.e., the guessed values forh,wandvk0w) — which happens with probabilitypoly1(λ)— the adversary

B wins in the sense of Lemma5.10.

6

Acknowledgments

We would like to thank the anonymous reviewers for their useful comments, and thank Nico D¨ottling, Mohammad Mahmoody and Adam O’Neill for useful discussions. We specially thank Nico for pointing out that our construction of recyclable OWFE does not achieve adaptive security which is needed for our CCA2 construction.

References

[BB04] Dan Boneh and Xavier Boyen. Secure identity based encryption without random oracles. In Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 443–459, Santa Barbara, CA, USA, August 15–19, 2004. Springer, Heidelberg, Germany. 3

[BBO07] Mihir Bellare, Alexandra Boldyreva, and Adam O’Neill. Deterministic and efficiently searchable encryption. In Alfred Menezes, editor,CRYPTO 2007, volume 4622 ofLNCS, pages 535–552, Santa Barbara, CA, USA, August 19–23, 2007. Springer, Heidelberg, Germany. 2

(25)

[BFO08] Alexandra Boldyreva, Serge Fehr, and Adam O’Neill. On notions of security for de-terministic encryption, and efficient constructions without random oracles. In David Wagner, editor, CRYPTO 2008, volume 5157 ofLNCS, pages 335–359, Santa Barbara, CA, USA, August 17–21, 2008. Springer, Heidelberg, Germany. 7

[BFOR08] Mihir Bellare, Marc Fischlin, Adam O’Neill, and Thomas Ristenpart. Deterministic encryption: Definitional equivalences and constructions without random oracles. In David Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages 360–378, Santa Barbara, CA, USA, August 17–21, 2008. Springer, Heidelberg, Germany. 2

[BHSV98] Mihir Bellare, Shai Halevi, Amit Sahai, and Salil P. Vadhan. Many-to-one trapdoor functions and their relation to public-key cryptosystems. In Hugo Krawczyk, editor,

CRYPTO’98, volume 1462 of LNCS, pages 283–298, Santa Barbara, CA, USA, Au-gust 23–27, 1998. Springer, Heidelberg, Germany. 2

[BLSV18] Zvika Brakerski, Alex Lombardi, Gil Segev, and Vinod Vaikuntanathan. Anonymous IBE, leakage resilience and circular security from new assumptions. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part I, volume 10820 of

LNCS, pages 535–564, Tel Aviv, Israel, April 29 – May 3, 2018. Springer, Heidelberg, Germany. 5,6,7

[CDG+17] Chongwon Cho, Nico D¨ottling, Sanjam Garg, Divya Gupta, Peihan Miao, and Antigoni

Polychroniadou. Laconic oblivious transfer and its applications. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part II, volume 10402 ofLNCS, pages 33–65, Santa Barbara, CA, USA, August 20–24, 2017. Springer, Heidelberg, Germany. 9

[DG17a] Nico D¨ottling and Sanjam Garg. From selective IBE to full IBE and selective HIBE. In Yael Kalai and Leonid Reyzin, editors,TCC 2017, Part I, volume 10677 ofLNCS, pages 372–408, Baltimore, MD, USA, November 12–15, 2017. Springer, Heidelberg, Germany. 6

[DG17b] Nico D¨ottling and Sanjam Garg. Identity-based encryption from the Diffie-Hellman assumption. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 537–569, Santa Barbara, CA, USA, August 20–24, 2017. Springer, Heidelberg, Germany. 3,4,6,8,9,29

[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Trans-actions on Information Theory, 22(6):644–654, 1976. 1

[DRS04] Yevgeniy Dodis, Leonid Reyzin, and Adam Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Christian Cachin and Jan Ca-menisch, editors,EUROCRYPT 2004, volume 3027 ofLNCS, pages 523–540, Interlaken, Switzerland, May 2–6, 2004. Springer, Heidelberg, Germany. 30

[ElG84] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In G. R. Blakley and David Chaum, editors, CRYPTO’84, volume 196 of

(26)

[FGK+10] David Mandell Freeman, Oded Goldreich, Eike Kiltz, Alon Rosen, and Gil Segev. More constructions of lossy and correlation-secure trapdoor functions. In Phong Q. Nguyen and David Pointcheval, editors,PKC 2010, volume 6056 ofLNCS, pages 279–295, Paris, France, May 26–28, 2010. Springer, Heidelberg, Germany. 2

[FLS90] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In31st FOCS, pages 308– 317, St. Louis, Missouri, October 22–24, 1990. IEEE Computer Society Press. 2

[GL89] Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In21st ACM STOC, pages 25–32, Seattle, WA, USA, May 15–17, 1989. ACM Press. 6, 10,29

[GM82] Shafi Goldwasser and Silvio Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. In 14th ACM STOC, pages 365–377, San Francisco, CA, USA, May 5–7, 1982. ACM Press. 2

[GMR01] Yael Gertner, Tal Malkin, and Omer Reingold. On the impossibility of basing trapdoor functions on trapdoor predicates. In 42nd FOCS, pages 126–135, Las Vegas, NV, USA, October 14–17, 2001. IEEE Computer Society Press. 2

[HK15] Mohammad Hajiabadi and Bruce M. Kapron. Reproducible circularly-secure bit encryp-tion: Applications and realizations. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, pages 224–243, Santa Barbara, CA, USA, August 16–20, 2015. Springer, Heidelberg, Germany. 7

[KMO10] Eike Kiltz, Payman Mohassel, and Adam O’Neill. Adaptive trapdoor functions and chosen-ciphertext security. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 673–692, French Riviera, May 30 – June 3, 2010. Springer, Heidelberg, Germany. 2

[Ms09] Steven Myers and abhi shelat. Bit encryption is complete. In50th FOCS, pages 607–616, Atlanta, GA, USA, October 25–27, 2009. IEEE Computer Society Press. 17

[NY90] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In22nd ACM STOC, pages 427–437, Baltimore, MD, USA, May 14– 16, 1990. ACM Press. 2

[Pei09] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In Michael Mitzenmacher, editor, 41st ACM STOC, pages 333–342, Bethesda, MD, USA, May 31 – June 2, 2009. ACM Press. 6

[PW08] Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC, pages 187–196, Victoria, British Columbia, Canada, May 17–20, 2008. ACM Press. 2,7

(27)

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the Association for Computing Machinery, 21(2):120–126, 1978. 1

[Wee10] Hoeteck Wee. Efficient chosen-ciphertext security via extractable hash proofs. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 314–332, Santa Barbara, CA, USA, August 15–19, 2010. Springer, Heidelberg, Germany. 3

[Wee12] Hoeteck Wee. Dual projective hashing and its applications - lossy trapdoor functions and more. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 246–262, Cambridge, UK, April 15–19, 2012. Springer, Heidelberg, Germany. 2

[Yao82] Andrew Chi-Chih Yao. Theory and applications of trapdoor functions (extended ab-stract). In 23rd FOCS, pages 80–91, Chicago, Illinois, November 3–5, 1982. IEEE Computer Society Press. 2

A

Proof of Lemma

3.5

Proof. We prove that all the required properties hold.

One-wayness. The fact that fpp for a random ppis one-way follows by the discrete-log hardness

(and hence CDH hardness) of G. Let g∗ be a random group element for which we want to find

r∗ such that gr∗ =g. Sample i 1

$

←− [n] and b1 $

←− {0,1} and set gi1,b1 := g

. For all i [n] and

b∈ {0,1} where (i, b)6= (i1, b1), sample ri,b

$

←−Zp and set gi,b :=gri,b. Set pp:=

g1,0, . . . , gn,0 g1,1, . . . , gn,1

.

Samplex0 at random from{0,1}n subject to the condition thatx0

i1 = 1−b1. Set y:=

Q

j∈[n]gj,x0 j.

Call the inverter adversary on (pp,y) to receive x ∈ {0,1}n. Now if n ω(logp), then by the

leftover hash lemma with probability negligibly close to 12 we havexi1 =b1, allowing us to find r

from ri,b’s.

Recyclability. We need to show that the ciphertext outputct of E is independent of the input valuey. This follows immediately by inspection.

Security for encryption. AssumingGis CDH-hard, we show that the scheme provides

security-for-encryption in the sense of Definition3.1. For the sake of contradiction, suppose that for some

x∈ {0,1}n and i[n] there exists an adversaryA

owfe which can distinguish between (x,pp,ct,e)

and (x,pp,ct,e0), where pp←−$ K(1λ),(ct,e)←−$ E(pp,f(pp,x),(i∗,1−xi∗)) ande0←− {$ 0,1}.

In the sequel, fix i∗ and x and let b∗ := xi∗. We build an adversary Acdh that can

distin-guish between the hardcore bit of the CDH challenge and a random bit, hence breaking the CDH assumption.

Description of the CDH adversary Acdh(g, g1, g2,b). Assuming g2 = gr for some unknown

Figure

Figure 1: The AdapOWFE[t](E, A) Experiment

References

Related documents

An estimate of the mass flow rate through the stack was based on a balance between the driving pressure due to the buoyant force of the air and the pressure drop due to turbulent

Sales location, product type, number of advertising methods used, high-speed Internet connection, land tenure arrangement, and gross farm sales is found to be significantly related

At temperatures above 572°F / 300°C, this product can decompose to form hydrogen fluoride (HF), but HF will only accumulate with continuous exposure to excessive heat in a

This book is intended to be a practical guide for using RDF data in information processing, linked data, and semantic web applications using both the AllegroGraph product and the

Proposition 103 specifically refers to only several parts of the administrative rate review process: Section 1861.05, subdivision (b) provides that an insurer which desires to

A1c: Hemoglobin A1c; BMI: Body mass index; CDC: Centers for Disease Control and Prevention; CDC-RTI: CDC-RTI Diabetes Cost-effectiveness Markov model; CDW: Corporate Data

Jenis- jenis data skalar bahasa pengaturcaraan AMAL adalah sama dengan jenis data skalar yang terdapat di dalam bahasa Pascal, iaitu: sahib, integer, boolean, aksara dan

As shown in Figure 2.5, regardless of the ancillary ligands, all catalysts afforded approximately the same activity (TONs between 30 and 40) and complexes 8-11 performed as